
lab-03 - create ARM template to provision 2 Network Security Groups and one private virtual network

In this lab we will provision the following components of our infrastructure for the dev environment.

infra-dev

Note. AKS and Application Gateway are outside the scope of these labs, but will be covered in part 2 of the workshop.

Estimated completion time - 20 min

Useful links

Task #1 - Network Security Group for AGW subnet

Create a new ARM template called template.json and add a resource defining a Network Security Group called iac-dev-agw-nsg with 3 rules:

name: INT-T443-IN-ALLOW
description: ""
protocol: Tcp
sourcePortRange: *
destinationPortRange: 443
sourceAddressPrefix: Internet
destinationAddressPrefix: 10.112.16.128/25
access: Allow
priority: 100
direction: Inbound

name: INT-T80-IN-ALLOW
description: ""
protocol: Tcp
sourcePortRange: *
destinationPortRange: 80
sourceAddressPrefix: Internet
destinationAddressPrefix: 10.112.16.128/25
access: Allow
priority: 101
direction: Inbound

name: AKS-T443-OUT-ALLOW
description: ""
protocol: Tcp
sourcePortRange: *
destinationPortRange: 443
sourceAddressPrefix: 10.112.16.128/25
destinationAddressPrefix: 10.112.0.0/20
access: Allow
priority: 102
direction: Outbound

Hint. Try the arm-nsg snippet from the Azure Resource Manager (ARM) Tools extension, or check the example ARM 101: Create a Network Security Group for the Network Security Group ARM template syntax.

Validate template

az deployment group validate --template-file template.json -g iac-dev-rg

Deploy ARM template

az deployment group create -g iac-dev-rg --template-file template.json

Task #2 - create Network Security Group for AKS subnet

Add a new resource defining a Network Security Group called iac-dev-aks-nsg with 1 rule:

name: AGW-T443-IN-ALLOW
description: ""
protocol: Tcp
sourcePortRange: *
destinationPortRange: 443
sourceAddressPrefix: 10.112.16.128/25
destinationAddressPrefix: 10.112.0.0/20
access: Allow
priority: 100
direction: Inbound

Hint. Try the arm-nsg snippet from the Azure Resource Manager (ARM) Tools extension, or check the example ARM 101: Create a Network Security Group for the Network Security Group ARM template syntax.

Validate template

az deployment group validate --template-file template.json -g iac-dev-rg

Deploy ARM template

az deployment group create -g iac-dev-rg --template-file template.json

Task #3 - create new private Virtual Network

Add a new resource defining a private Virtual Network called iac-dev-vnet with 2 subnets and the following specification:

VNet name: iac-dev-vnet
addressPrefix: 10.112.0.0/16

Subnets:
    name: aks-net
    addressPrefix: 10.112.0.0/20
    networkSecurityGroup.id: iac-dev-aks-nsg

    name: agw-net
    addressPrefix: 10.112.16.128/25
    networkSecurityGroup.id: iac-dev-agw-nsg

Hint. Try the arm-vnet snippet, see the ARM template reference for virtual networks, or check the example ARM 101: Virtual Network with two Subnets for the Virtual Network ARM template syntax.

Hint #1

Our subnets use network security groups that are defined in the same template, so the NSG resources must be listed as dependencies (dependsOn) of the VNet resource; otherwise ARM may try to create the VNet before the NSGs exist and the deployment fails. Read more about how to define the order for deploying resources in ARM templates.

Hint #2

To attach an NSG to a subnet, use the networkSecurityGroup property of the subnet and set its id field with the resourceId function. Read more about the resourceId function.
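The three tasks build one template.json. The script below is an added example (not the lab's solution file) that writes that template with exactly the resources, rules and subnets listed in Tasks #1 to #3, using resourceId() for the subnet NSG references and dependsOn on the VNet, and then lints it offline before you spend a round trip on az deployment group validate. The API version, the schema URL and the audit checks themselves are my assumptions, not something the lab specifies.

```python
# Added example for lab-03 (not the lab's solution file): build the template.json
# that Tasks #1-#3 describe and lint it before `az deployment group validate`.
# API version and schema URL are assumptions.
import ipaddress
import json

API_VERSION = "2020-06-01"  # assumption: any current Microsoft.Network API version works
LOCATION = "[resourceGroup().location]"
AGW_PREFIX = "10.112.16.128/25"  # agw-net subnet, from the lab
AKS_PREFIX = "10.112.0.0/20"     # aks-net subnet, from the lab


def rule(name, direction, src, dst, dst_port, priority, protocol="Tcp", access="Allow"):
    """One securityRules entry in ARM syntax."""
    return {"name": name, "properties": {
        "description": "", "protocol": protocol, "sourcePortRange": "*",
        "destinationPortRange": dst_port, "sourceAddressPrefix": src,
        "destinationAddressPrefix": dst, "access": access,
        "priority": priority, "direction": direction}}


def nsg(name, rules):
    return {"type": "Microsoft.Network/networkSecurityGroups", "apiVersion": API_VERSION,
            "name": name, "location": LOCATION, "properties": {"securityRules": rules}}


def nsg_id(name):
    # The template carries the resourceId() expression as a string; ARM resolves it at deploy time.
    return f"[resourceId('Microsoft.Network/networkSecurityGroups', '{name}')]"


def build_template():
    agw_nsg = nsg("iac-dev-agw-nsg", [
        rule("INT-T443-IN-ALLOW", "Inbound", "Internet", AGW_PREFIX, "443", 100),
        rule("INT-T80-IN-ALLOW", "Inbound", "Internet", AGW_PREFIX, "80", 101),
        rule("AKS-T443-OUT-ALLOW", "Outbound", AGW_PREFIX, AKS_PREFIX, "443", 102)])
    aks_nsg = nsg("iac-dev-aks-nsg", [
        rule("AGW-T443-IN-ALLOW", "Inbound", AGW_PREFIX, AKS_PREFIX, "443", 100)])
    subnets = [
        {"name": "aks-net", "properties": {"addressPrefix": AKS_PREFIX,
                                           "networkSecurityGroup": {"id": nsg_id("iac-dev-aks-nsg")}}},
        {"name": "agw-net", "properties": {"addressPrefix": AGW_PREFIX,
                                           "networkSecurityGroup": {"id": nsg_id("iac-dev-agw-nsg")}}}]
    vnet = {"type": "Microsoft.Network/virtualNetworks", "apiVersion": API_VERSION,
            "name": "iac-dev-vnet", "location": LOCATION,
            # Hint #1: the NSGs must exist before the VNet references them.
            "dependsOn": [nsg_id("iac-dev-aks-nsg"), nsg_id("iac-dev-agw-nsg")],
            "properties": {"addressSpace": {"addressPrefixes": ["10.112.0.0/16"]},
                           "subnets": subnets}}
    return {"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0", "resources": [agw_nsg, aks_nsg, vnet]}


def audit(template):
    """Offline lint: returns a list of findings; empty means the template matches the lab's intent."""
    findings = []
    res = template["resources"]
    nsgs = {r["name"]: r for r in res if r["type"] == "Microsoft.Network/networkSecurityGroups"}
    attached = {}  # NSG name -> prefix of the subnet it is attached to
    for v in (r for r in res if r["type"] == "Microsoft.Network/virtualNetworks"):
        space = [ipaddress.ip_network(p) for p in v["properties"]["addressSpace"]["addressPrefixes"]]
        for s in v["properties"]["subnets"]:
            prefix = s["properties"]["addressPrefix"]
            if not any(ipaddress.ip_network(prefix).subnet_of(a) for a in space):
                findings.append(f"{v['name']}/{s['name']}: {prefix} is outside the VNet address space")
            ref = s["properties"].get("networkSecurityGroup", {}).get("id", "")
            for n in nsgs:
                if f"'{n}'" in ref:
                    attached[n] = prefix
                    if ref not in v.get("dependsOn", []):
                        findings.append(f"{v['name']}: subnet {s['name']} uses {n} without dependsOn")
    for n, r in nsgs.items():
        rules = r["properties"]["securityRules"]
        if len({x["properties"]["priority"] for x in rules}) != len(rules):
            findings.append(f"{n}: duplicate rule priorities")
        if n not in attached:
            findings.append(f"{n}: not attached to any subnet")
        for x in rules:
            p = x["properties"]
            if (p["direction"] == "Inbound" and p["sourceAddressPrefix"] in ("*", "Internet")
                    and p["destinationPortRange"] == "*"):
                findings.append(f"{n}/{x['name']}: inbound from {p['sourceAddressPrefix']} on any port")
            # The "local" side of a rule should lie inside the subnet the NSG guards
            # (skipped for "*" and service tags, which do not start with a digit).
            local = p["destinationAddressPrefix"] if p["direction"] == "Inbound" else p["sourceAddressPrefix"]
            if n in attached and local[:1].isdigit():
                if not ipaddress.ip_network(local).subnet_of(ipaddress.ip_network(attached[n])):
                    findings.append(f"{n}/{x['name']}: {local} is outside attached subnet {attached[n]}")
    return findings


if __name__ == "__main__":
    template = build_template()
    with open("template.json", "w") as fh:
        json.dump(template, fh, indent=2)  # the file to pass to `az deployment group validate`
    for finding in audit(template):
        print("FINDING:", finding)
```

Running the script writes template.json for the validate and deploy commands below and prints nothing when the template is consistent. Two caveats worth keeping in mind when reading the rules: every rule in this lab is an Allow, and NSGs also carry default rules (AllowVnetInBound at priority 65000, DenyAllInbound at 65500), so AGW-T443-IN-ALLOW documents the intended path into aks-net but does not by itself block other VNet traffic until you add a lower-priority Deny rule; and if you ever add such a Deny on the agw-net NSG for an Application Gateway v2, the gateway still needs inbound TCP 65200-65535 from the GatewayManager service tag and traffic from AzureLoadBalancer, or the deployment of the gateway will fail.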

Validate template

az deployment group validate --template-file template.json -g iac-dev-rg

Deploy ARM template

az deployment group create -g iac-dev-rg --template-file template.json

Checkpoint

  • You should have one ARM template with 3 resources
  • You should see (at least) 3 deployments at the resource group level

Next

Go to lab-04